Azure Active Directory Users Now Have Access to Tenant Restrictions

Microsoft added a couple of new Azure Active Directory capabilities this week, including a new control capability that's available commercially.

Organizations using Azure Active Directory can now ratchet down access to software-as-a-service (SaaS) applications in shared-tenant scenarios. This new "Tenant Restrictions" capability, released commercially ("general availability") this week for Azure AD users, is designed to meet the compliance requirements of large organizations.

In addition, Microsoft this week announced that it had turned on additional capabilities for its Azure AD B2B preview, which is designed to make it easier for organizations to collaborate with external users.

Tenant Restrictions
The Tenant Restrictions capability is for large organizations that may fear information leakage because end users are accessing hosted applications from shared infrastructure. End users in an organization typically access those applications using a common domain name, such as outlook.office.com.

Since SaaS applications typically get accessed via shared datacenter infrastructure, large organizations may want to ensure that their users only connect to their SaaS apps, instead of other organization's SaaS apps, within that shared infrastructure. Microsoft's new Tenant Restrictions compliance solution is designed to permit organizations to specify a list of tenants that their end users can only access. It's a sort of whitelisting process for organizations that use Azure AD for single sign-on access to SaaS apps.

Using the Tenant Restrictions capability requires configuring a proxy server within an organization's IT infrastructure. The proxy server will send a new header, called "Restrict-Access-To-Tenants," which also includes a list of the tenants used by an organization. If an end user tries to access a tenant that's not on this list, then they will get blocked with a "You can't get there from here" message.

The details and requirements for enabling Tenant Restrictions are described in this Microsoft document for Office 365 SaaS applications. However, the article added that the Tenant Restrictions feature "should work with any SaaS cloud app that uses modern authentication protocols with Azure AD for single sign-on," and not just with Office 365 apps.

The "modern authentication" phrase mentioned above is Microsoft's terminology referring to any application that can work with the Active Directory Authentication Library (ADAL). The ADAL provides a means for developers to "obtain access tokens for securing API calls," according to this MSDN article's definition. Most of the more current Office 365 applications reached general availability in terms of having modern authentication support back in May, although some are at the preview stage, Microsoft had announced previously. The exceptions that won't work seem to be older Office applications, such as Office 2007, Office 2010 and Office for Mac 2011, which lack ADAL authentication capabilities.

Updates to Azure AD B2B Preview
Microsoft's Azure AD B2B preview is designed for business-to-business communications. Users can send invitations to people external to an organization for collaboration purposes. This capability is still at the preview stage from its early introduction back in September of 2015.

Microsoft announced this week that it has added to the Azure AD B2B preview's capabilities. Some of the highlights for IT pros include PowerShell support and "auditing and reporting capabilities." It's now possible to delegate the responsibility for issuing invitations for Azure AD B2B guest accounts to users who aren't administrators. Organizations using the service can now enforce multifactor authentication. Microsoft is also providing APIs for customization purposes, as well as the ability to add brands to invitation e-mails, among other improvements.

Microsoft is steering its Azure AD B2B capability toward commercial release, but the general timeline wasn't indicated. Microsoft sees Azure B2B as being valuable to organizations of all sizes, including ones with "complex compliance and governance requirements," according to its announcement.